Introduction

The AAF supports OpenID Connect (OIDC) connectivity and operates an OpenID Provider (OP) which authenticates users who have an account at any AAF subscriber Identity Provider (IdP). This service is a production choice available to AAF subscribers to connect their OIDC services to the Federation. This is an maturing service and at this stage only supports a subset of attributes/claims (for attribute requirements outside this range, please contact us to discuss). 

 

There are no service management interfaces or self-service options for registering or managing a connector. The AAF Support  is the key contact for all service requests and changes to connectors. A registration and management interface is currently under development a should be available in early 2023.



Attributes / Claims


These are the attributes/claims Central can provide to an RP currently:


Supported ScopesClaims
openid
Returns the sub claim, which uniquely identifies the user. In an ID Token, iss, aud, exp, iat, and at_hash claims will also be present.
profile
Returns claims that represent basic profile information, including name, family_name, given_name and preferred_username,
emailReturns the email claim, which contains the user's email address.
phoneReturns the phone_number of the user. Not many AAF IdPs will return this value
aueduperson
Returns the users au_edu_person_shared_token value

eduperson_affiliation

Returns the users eduperson_affiliation value
eduperson_assurance
Returns the users eduperson_assurance  value
eduperson_orcid
Returns the users eduperson_orcid  value
eduperson_principal_name
Returns the users eduperson_principal_name  value
eduperson_scoped_affiliation
Returns the users eduperson_scoped_affiliation  value
schac_home_organization
Returns the users schac_home_organization value



Note: a claim for a user will only be provided if their home organisation provides the specific attribute. For example most universities will NOT provide phone numbers for their users.

Details

Before registering an OIDC service, deployers must have sufficient experience in undertaking OIDC integration work to create their own Relying Party (RP) components with minimal help from the AAF technical team. There are several open-source libraries which implement most of the RP requirements in several languages, GitHub is an excellent resource, as is the OpenID Foundation. https://openid.net/developers/libraries/. The AAF does not offer support or advice in this area, and the choice depends on the subscriber’s strengths and existing knowledge of OIDC integration. 


The AAF OP satisfies the OIDC conformance testing framework and passes the Authorization Code and Implicit flows. The AAF monitors the OP during business hours and responds to service interruption issues promptly.

 

To register a new OIDC RP please visit:


 AAF Production environment Please e-mail support@aaf.edu.au with the details below. (A new UI currently under development)
AAF Test environmentPlease e-mail support@aaf.edu.au with the details below. (A new UI currently under development) 
  1. The service’s redirect URL - a redirect URL based on an actual URL rather than IP address and must use HTTPS.
  2. A descriptive name for the service.
  3. The organisation name, which must be an AAF subscriber, of the service.
  4. Indicate the service’s purpose - development/testing/production-ready.
  5. Your Keybase account id to share the credentials securely
  6. The environment you want to deploy to (Test or Production)


Once the technical team receives a registration, they will reach out and establish a secure messaging channel via https://keybase.io. New accounts on Keybase are currently free of charge. Over the secure communication channel, the technical team will supply values for the RP service generated during the registration process, including Client ID and secrets.

 

The AAF OIDC service supports querying the OP Configuration Information endpoint to retrieve the features and capabilities of the OIDC service. The AAF OP provides two endpoints, one for Production Federation and one for Test Federation, respectively:

https://central.aaf.edu.au/.well-known/openid-configuration

https://central.test.aaf.edu.au/.well-known/openid-configuration.


Details for the Production Federation are here:

$ curl https://central.aaf.edu.au/.well-known/openid-configuration | jq

{
  "issuer": "https://central.aaf.edu.au",
  "authorization_endpoint": "https://central.aaf.edu.au/providers/op/authorize",
  "token_endpoint": "https://central.aaf.edu.au/providers/op/token",
  "jwks_uri": "https://central.aaf.edu.au/providers/op/jwks",
  "id_token_signing_alg_values_supported": [
    "RS256",
    "ES384"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "phone",
    "aueduperson",
    "eduperson_affiliation",
    "eduperson_assurance",
    "eduperson_entitlement",
    "eduperson_orcid",
    "eduperson_principal_name",
    "eduperson_scoped_affiliation",
    "schac_home_organization"
  ],
  "userinfo_endpoint": "https://central.aaf.edu.au/providers/op/userinfo",
  "claim_types_supported": [
    "normal"
  ],
  "claims_locales_supported": [
    "en"
  ],
  "claims_parameter_supported": false,
  "display_values_supported": [
    "page"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "op_policy_uri": "https://central.aaf.edu.au/documentation/policy",
  "op_tos_uri": "https://central.aaf.edu.au/documentation/tos",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "query",
    "fragment"
  ],
  "service_documentation": "https://central.aaf.edu.au/documentation/developers",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "ui_locales_supported": [
    "en"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256",
    "ES384"
  ]
}


Links

AAF Production OIDC Provider https://central.aaf.edu.au/.well-known/openid-configuration 

AAF Test OIDC Provider https://central.test.aaf.edu.au/.well-known/openid-configuration 

OpenID OIDC Developer Libraries https://openid.net/developers/libraries/ 

OpenID OIDC Overview https://openid.net/specs/openid-connect-core-1_0.html#Overview 

OpenID OIDC Terminology https://openid.net/specs/openid-connect-core-1_0.html#Terminology